
HJT Log - touse


105 replies to this topic

#1 touse

touse

  • Members
  • 173 posts
  • OFFLINE
  • Local time:06:28 PM

Posted 20 December 2004 - 06:23 PM

Hi all,

I was kindly referred to this forum by phawgg. Reason for me being here: my father's computer is in trouble and I think it was me that imported the trouble from the internet.

Best you know up front that I'm NOT computer knowledgeable. I'll try to describe what's going on.

Computer situation: the infected pc is a computer in my father's offices. It's the only one that has an internet connection, so, my brothers and I, we all flock to that computer to surf the net. But the pc is also used in a professional capacity (o.a. for transferring policies to insurance companies via Portima, Brokers Extranet), and that's what's making me especially apprehensive: if the problems escalate this might mean serious trouble.

Technical information: System properties: Microsoft Windows 2000 (professional NT) Service pack 4. Browser: Internet Explorer. Anti-virus software: F- Secure, which is automatically updated. (If you need more information, let me know - and could you possibly tell me where on the computer I can find it?)

Symptoms: Among other things:
1. adverts that keep popping up spontaneously, not just small pop-up ads, but full screen windows with their own URL
2. Two weeks ago an unsolicited search toolbar appeared on the pc (I removed it manually by uninstalling the program via Settings, Control panel, Add/remove programs)
3. Searches in google and yahoo are redirected to other search engines.
4. Sometimes clicking on a link opens a small window when a full screen should appear. Most times it suffices to click the maximize icon, but at times the full screen you get is of smaller size than you would expect it to be, i.e. it does not cover the full screen (do I make myself clear?)
5. Worst of all, last Thursday, communication with insurance companies was interfered with, to the point it became impossible to e.g. transfer data (a.o. policies to insurance companies). When attempting to print out policies, instead of the policy we got a print-out of one of these ads that keep appearing out of nowhere.
6. Starting up the internet we get the message: "An exception occurred while trying to run "C:\WINNT\system32\dwrsnap.dll",Umonitor". The part in bold print is different each time we start up…

[A lot of adverts are referred to – by lack of a better word – our pc through:
http://c.azjmp.com/az ch.php?f=4332&i=1918&sub=improper & pop=& aux = bypass=
http://ads1.revenue.net/r?site_id=13779&pplacemnt_id=1]

Actions: I've run LavaSoft Ad-aware 6 and Spybot Search & Destroy. And I've manually uninstalled (via the Settings, Control panel, add/remove programs) Windows ControlAd and Search Relevancy (I think that's what it was called). About two weeks ago I removed (via Settings etc.) a toolbar that had spontaneously installed itself (I think it was Watoti search engine, not sure). After reading a bit about spyware and browser hijackers I know now I shouldn't be deleting stuff, so I stopped doing that.

The Ad-aware scan now seems to come up clean. The Spybot S&D not. Spybot fixed some parasites, hijackers, spyware etc. (Nothing has been permanently deleted, everything can still be retrieved through the Spybot S&D recovery functions). But a few nasties just won't go away (either they can't be fixed by Spybot, or they keep reappearing): IgetNet, ISTbar.Slotch, CoolWWWSearch – the last one is very difficult to remove, I understand?

The results of the last Spybot scan:
DSO Exploit: Data source object exploit (Register-verandering., nothing done)
HKEY_USERS\S-1-5-21-1547161642-1708537768-842925246-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Register-verandering., nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Common hijacker: Redirected host (Redirected host, nothing done)
Common hijacker: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Bootconf: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Loadbat: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Msconfd: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Oslogo: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Tapicfg: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Xmlmimefilter: Redirected host (Redirected host, nothing done)
IGetNet: Redirected host (Redirected host, nothing done)
ISTbar.Slotch: User settings (Register sleutel, nothing done)
HKEY_USERS\.DEFAULT\Software\ISTbar
--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2004-12-15 Includes\Dialer.sbi
2004-12-16 Includes\Hijackers.sbi
2004-12-15 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-12-15 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2004-12-16 Includes\Spybots.sbi
2004-11-29 Includes\Tracks.uti
2004-12-15 Includes\Trojans.sbi



I've run the HijackThis program. Here's the LOG:

(If there is any information in this log that violates my father's privacy or things that should better not be posted on a public message board, could you let me know, so I can edit it out? Or maybe you could do so, if you have the ability to edit posts and think it preferable to delete certain data.)


Logfile of HijackThis v1.99.0
Scan saved at 23:53:44, on 20/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\AnetLP\assurnet\fsav\Anti-Virus\fsgk32st.exe
D:\AnetLP\assurnet\fsav\Anti-Virus\FSGK32.EXE
D:\AnetLP\assurnet\fsav\Anti-Virus\fssm32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
D:\AnetLP\assurnet\fsav\Common\FSMA32.EXE
D:\AnetLP\assurnet\fsav\Common\FSMB32.EXE
D:\AnetLP\assurnet\fsav\Common\FCH32.EXE
D:\AnetLP\assurnet\fsav\Common\FAMEH32.EXE
D:\AnetLP\assurnet\fsav\Common\FNRB32.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
D:\AnetLP\assurnet\fsav\Common\FIH32.EXE
D:\AnetLP\assurnet\fsav\Anti-Virus\fsav32.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
D:\AnetLP\assurnet\fsav\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\System Soap Pro\soap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\AnetLP\AnetLC\Assurnet\APICOM\apicomLogon.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
D:\AnetLP\AnetLC\Assurnet\Apicom\AsDaemon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\PROGRA~1\Alcatel\ENTERN~1\app\EnterNet.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office Maxie\Office\WINWORD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ben.portima/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PORTIMA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.79.87.140:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = learningacademy.*;*.portima;www.ben.portima;*.assurnet;127.0.*;192.168.1.1;<local>
O1 - Hosts: 172.31.0.104 HASPROPAD99 #PRE
O1 - Hosts: 172.31.0.72 MAILANET1 #PRE
O1 - Hosts: 172.31.0.73 MAILANET2 #PRE
O1 - Hosts: 172.31.0.74 MAILANET3 #PRE
O1 - Hosts: 172.31.0.80 ESDANET1 #PRE
O1 - Hosts: 172.31.0.81 ESDANET2 #PRE
O1 - Hosts: 172.31.0.82 ESDANET3 #PRE
O1 - Hosts: 172.31.0.146 HASPROTAR01 #PRE
O1 - Hosts: 172.31.0.121 HTSASWAN1 #PRE
O1 - Hosts: 172.31.243.198 RB_TEMPO
O1 - Hosts: 212.79.87.30 HASPROCES01
O1 - Hosts: 212.79.87.30 pop.portima.be
O1 - Hosts: 212.79.87.30 smtp.portima.be
O1 - Hosts: 212.79.84.49 HASPROPAR04 #PRE
O1 - Hosts: 212.79.84.50 HASPROPAR03 #PRE
O1 - Hosts: 212.79.87.30 mail.portima.be
O1 - Hosts: 212.79.87.140 HASPROXY
O1 - Hosts: 212.79.84.39 learningacademy.portima.be
O1 - Hosts: 212.79.84.157 PcaHelper
O1 - Hosts: 212.79.84.46 fsecure.portima.be
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SetProxyAS2] D:\AnetLP\Assurnet\CeWeb\RunREgOn.exe -f D:\AnetLP\Assurnet\CeWeb\ProxyPar.txt
O4 - HKLM\..\Run: [F-Secure Manager] "D:\AnetLP\assurnet\fsav\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [startAS2] D:\AnetLP\assurnet\esd\esdrun.exe D:\AnetLP\assurnet\esd\startas2.dws
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: CiscoConfigurator.lnk = D:\AnetLP\Assurnet\CiscoCfr\CiscoConfigurator.exe
O4 - Global Startup: Esd Check.lnk = D:\AnetLP\Assurnet\ESD\EsdCheck.exe
O4 - Global Startup: Logon Assurnet.lnk = D:\AnetLP\AnetLC\Assurnet\APICOM\apicomLogon.exe
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office Maxie\Office\OSA9.EXE
O4 - Global Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.agf.assurnet
O15 - Trusted Zone: http://www.agf2.assurnet
O15 - Trusted Zone: http://www.prolinknet.assurnet
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...429d2d2b4e511ef
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.olboap.fortisag.assurnet/ActiveX/smsx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12b7b98998357127aa20/...ip/RdxIE601.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://159.171.108.5/activex/AxisCamControl.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.dll
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://asp02.photoprintit.de/microsite/5/d...vex/XUpload.ocx
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O23 - Service: AutoComplete Service - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Client Access Express, Opdracht op afstand - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown - D:\AnetLP\assurnet\fsav\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - D:\AnetLP\assurnet\fsav\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent - F-Secure Corporation. All Rights Reserved. - D:\AnetLP\assurnet\fsav\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent - F-Secure Corporation - D:\AnetLP\assurnet\fsav\Common\FSMA32.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Unknown - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe



Phawgg advised me to limit the use of the internet while waiting for your analysis. My brothers and I, we can lay off the surfing for a while, no problem. But I don't know if the office can refrain from using the internet during working hours? I'll ask and stress. One thing, it's essential that the programs of Portima remain intact!!!

I won't be able to clean up this mess by myself. Any help you can offer is greatly appreciated. Thank you!!!



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:07:28 PM

Posted 20 December 2004 - 10:57 PM

Download this ZIP file and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

Run HijackThis! again and post a new log please.

#3 touse

touse
  • Topic Starter

  • Members
  • 173 posts
  • OFFLINE
  • Local time:06:28 PM

Posted 21 December 2004 - 05:52 PM

Thank you for your fast reply, Grinler

What does find.bat do? Does it scan the computer for pests?

Just to make absolutely sure, to reboot means to shut one's computer and start up again, yes? And by a detailed fix written up you mean a log analysis & advice as to what actions to take, posted on this topic, correct?

It's almost midnight here; they start working at the offices at 9.00. I'm sure I can get them to refrain from using the computer till noon -- after that I'm not sure. That will be 9 to 12 hours that the computer will not be touched. Is that sufficient time for you? Or can they open emails etc., as long as people don't log off or the computer is not shut down?

Or should I do the find.bat scan tomorrow after working hours (i.e. after 17.30 pm so that the computer can remain untouched for 15 to 18 hours.)

I will now download find.bat, after that I'll check for an answer from you.

Touse

#4 touse

touse
  • Topic Starter

  • Members
  • 173 posts
  • OFFLINE
  • Local time:06:28 PM

Posted 21 December 2004 - 06:45 PM

Here's the find.bat log (It took about 15 minutes before the log appeared, is that right?)

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\findbat\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

21/12/2004 23:17 223.232 guard.tmp
21/12/2004 17:16 223.232 c2000cdmef0a0.dll
21/12/2004 02:18 223.232 i6nm0g51e6.dll
20/12/2004 17:48 223.232 cobuireg.dll
17/12/2004 08:43 223.232 ruuteext.dll
16/12/2004 15:19 224.539 n82u0if9e82.dll
16/12/2004 15:19 223.389 jtnm0751e.dll
16/12/2004 08:49 223.232 stbrsrc.dll
16/12/2004 08:04 223.232 ktjql7151.dll
14/11/2004 23:24 <DIR> dllcache
9 File(s) 2.010.552 bytes
1 Dir(s) 1.663.681.024 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

21/12/2004 23:18 23.457 Ffastlog.txt
14/11/2004 23:24 <DIR> dllcache
18/10/2002 12:41 <DIR> GroupPolicy
18/10/2002 12:29 21.692 folder.htt
18/10/2002 12:29 271 desktop.ini
3 File(s) 45.420 bytes
2 Dir(s) 1.663.680.000 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

21/12/2004 23:17 223.232 guard.tmp
1 File(s) 223.232 bytes
0 Dir(s) 1.663.680.000 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

21/12/2004 23:17 223.232 guard.tmp
06/12/1999 14:00 2.577 CONFIG.TMP
2 File(s) 225.809 bytes
0 Dir(s) 1.663.675.904 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09885751-33EE-4FC5-9FEA-4A406B194A89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\i6nm0g51e6.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\CwbSvStr.Exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"SetProxyAS2"="D:\\AnetLP\\Assurnet\\CeWeb\\RunREgOn.exe -f D:\\AnetLP\\Assurnet\\CeWeb\\ProxyPar.txt"
"F-Secure Manager"="\"D:\\AnetLP\\assurnet\\fsav\\Common\\FSM32.EXE\" /splash"
"startAS2"="D:\\AnetLP\\assurnet\\esd\\esdrun.exe D:\\AnetLP\\assurnet\\esd\\startas2.dws"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"





Here's a new HJT log

Logfile of HijackThis v1.99.0
Scan saved at 00:46:07, on 22/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\AnetLP\assurnet\fsav\Anti-Virus\fsgk32st.exe
D:\AnetLP\assurnet\fsav\Anti-Virus\FSGK32.EXE
D:\AnetLP\assurnet\fsav\Anti-Virus\fssm32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
D:\AnetLP\assurnet\fsav\Common\FSMA32.EXE
D:\AnetLP\assurnet\fsav\Common\FSMB32.EXE
D:\AnetLP\assurnet\fsav\Common\FCH32.EXE
D:\AnetLP\assurnet\fsav\Common\FAMEH32.EXE
D:\AnetLP\assurnet\fsav\Common\FNRB32.EXE
D:\AnetLP\assurnet\fsav\Common\FIH32.EXE
D:\AnetLP\assurnet\fsav\Anti-Virus\fsav32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
D:\AnetLP\assurnet\fsav\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\System Soap Pro\soap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\AnetLP\AnetLC\Assurnet\APICOM\apicomLogon.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
D:\AnetLP\AnetLC\Assurnet\Apicom\AsDaemon.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\EnterNet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ben.portima/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PORTIMA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.79.87.140:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = learningacademy.*;*.portima;www.ben.portima;*.assurnet;127.0.*;192.168.1.1;<local>
O1 - Hosts: 172.31.0.104 HASPROPAD99 #PRE
O1 - Hosts: 172.31.0.72 MAILANET1 #PRE
O1 - Hosts: 172.31.0.73 MAILANET2 #PRE
O1 - Hosts: 172.31.0.74 MAILANET3 #PRE
O1 - Hosts: 172.31.0.80 ESDANET1 #PRE
O1 - Hosts: 172.31.0.81 ESDANET2 #PRE
O1 - Hosts: 172.31.0.82 ESDANET3 #PRE
O1 - Hosts: 172.31.0.146 HASPROTAR01 #PRE
O1 - Hosts: 172.31.0.121 HTSASWAN1 #PRE
O1 - Hosts: 172.31.243.198 RB_TEMPO
O1 - Hosts: 212.79.87.30 HASPROCES01
O1 - Hosts: 212.79.87.30 pop.portima.be
O1 - Hosts: 212.79.87.30 smtp.portima.be
O1 - Hosts: 212.79.84.49 HASPROPAR04 #PRE
O1 - Hosts: 212.79.84.50 HASPROPAR03 #PRE
O1 - Hosts: 212.79.87.30 mail.portima.be
O1 - Hosts: 212.79.87.140 HASPROXY
O1 - Hosts: 212.79.84.39 learningacademy.portima.be
O1 - Hosts: 212.79.84.157 PcaHelper
O1 - Hosts: 212.79.84.46 fsecure.portima.be
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SetProxyAS2] D:\AnetLP\Assurnet\CeWeb\RunREgOn.exe -f D:\AnetLP\Assurnet\CeWeb\ProxyPar.txt
O4 - HKLM\..\Run: [F-Secure Manager] "D:\AnetLP\assurnet\fsav\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [startAS2] D:\AnetLP\assurnet\esd\esdrun.exe D:\AnetLP\assurnet\esd\startas2.dws
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: CiscoConfigurator.lnk = D:\AnetLP\Assurnet\CiscoCfr\CiscoConfigurator.exe
O4 - Global Startup: Esd Check.lnk = D:\AnetLP\Assurnet\ESD\EsdCheck.exe
O4 - Global Startup: Logon Assurnet.lnk = D:\AnetLP\AnetLC\Assurnet\APICOM\apicomLogon.exe
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office Maxie\Office\OSA9.EXE
O4 - Global Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: strings.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.agf.assurnet
O15 - Trusted Zone: http://www.agf2.assurnet
O15 - Trusted Zone: http://www.prolinknet.assurnet
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...429d2d2b4e511ef
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.olboap.fortisag.assurnet/ActiveX/smsx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12b7b98998357127aa20/...ip/RdxIE601.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://159.171.108.5/activex/AxisCamControl.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.dll
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://asp02.photoprintit.de/microsite/5/d...vex/XUpload.ocx
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O23 - Service: AutoComplete Service - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Client Access Express, Opdracht op afstand - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown - D:\AnetLP\assurnet\fsav\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - D:\AnetLP\assurnet\fsav\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent - F-Secure Corporation. All Rights Reserved. - D:\AnetLP\assurnet\fsav\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent - F-Secure Corporation - D:\AnetLP\assurnet\fsav\Common\FSMA32.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Unknown - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe



Thank you for your help!

Touse

#5 Grinler (Lawrence Abrams, Admin)

Posted 21 December 2004 - 08:55 PM

Download the Killbox.
Unzip the contents of KillBox.zip to a convenient location.
Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\c2000cdmef0a0.dll

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat steps 4-8 above for these files:

C:\WINDOWS\System32\i6nm0g51e6.dll
C:\WINDOWS\System32\cobuireg.dll
C:\WINDOWS\System32\ruuteext.dll
C:\WINDOWS\System32\n82u0if9e82.dll
C:\WINDOWS\System32\jtnm0751e.dll
C:\WINDOWS\System32\stbrsrc.dll
C:\WINDOWS\System32\ktjql7151.dll



Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\Guard.tmp

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.


Double-click on find.bat and post the new output.txt.

#6 touse (Topic Starter)

Posted 22 December 2004 - 04:03 PM

First attempt to run find.bat: I got an error message (WINNLOG has generated ...) and the computer automatically rebooted.

Here's the find.bat output txt of the second attempt:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\findbat\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

22/12/2004 21:02 223.232 UIfwordw.dll
22/12/2004 21:02 224.972 n04slah71d4.dll
21/12/2004 23:17 223.232 mvpml9711.dll
21/12/2004 17:16 223.232 c2000cdmef0a0.dll
20/12/2004 17:48 223.232 cobuireg.dll
17/12/2004 08:43 223.232 ruuteext.dll
16/12/2004 15:19 224.539 n82u0if9e82.dll
16/12/2004 15:19 223.389 jtnm0751e.dll
16/12/2004 08:49 223.232 stbrsrc.dll
16/12/2004 08:04 223.232 ktjql7151.dll
14/11/2004 23:24 <DIR> dllcache
10 File(s) 2.235.524 bytes
1 Dir(s) 1.632.946.688 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

22/12/2004 21:05 23.543 Ffastlog.txt
14/11/2004 23:24 <DIR> dllcache
18/10/2002 12:41 <DIR> GroupPolicy
18/10/2002 12:29 21.692 folder.htt
18/10/2002 12:29 271 desktop.ini
3 File(s) 45.506 bytes
2 Dir(s) 1.632.946.688 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

06/12/1999 14:00 2.577 CONFIG.TMP
1 File(s) 2.577 bytes
0 Dir(s) 1.632.942.592 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09885751-33EE-4FC5-9FEA-4A406B194A89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\c2000cdmef0a0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\CwbSvStr.Exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"SetProxyAS2"="D:\\AnetLP\\Assurnet\\CeWeb\\RunREgOn.exe -f D:\\AnetLP\\Assurnet\\CeWeb\\ProxyPar.txt"
"F-Secure Manager"="\"D:\\AnetLP\\assurnet\\fsav\\Common\\FSM32.EXE\" /splash"
"startAS2"="D:\\AnetLP\\assurnet\\esd\\esdrun.exe D:\\AnetLP\\assurnet\\esd\\startas2.dws"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




---------------------------------------------------------------------------

A new symptom of the disease? When I got to the computer this evening I noticed three shortcuts have appeared on the desktop -- I think spontaneously.
They're clearly ads: "online-dating", "Cheap holiday travel" and "free online music". I haven't opened them, but the yellow bar which appears if you move the mouse over them showed this URL: http://www.zestyfind.com/... Should I go to that site, find the uninstall instructions and delete the shortcuts & the program? Or do I just leave it alone for the time being?

Do the same conditions as yesterday apply (no Logging off and no rebooting)? Or can I shut down the computer for the night?


Touse

#7 Grinler (Lawrence Abrams, Admin)

Posted 22 December 2004 - 04:07 PM

Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\UIfwordw.dll

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat steps 4-8 above for these files:

C:\WINDOWS\System32\n04slah71d4.dll
C:\WINDOWS\System32\mvpml9711.dll
C:\WINDOWS\System32\c2000cdmef0a0.dll
C:\WINDOWS\System32\cobuireg.dll
C:\WINDOWS\System32\ruuteext.dll
C:\WINDOWS\System32\n82u0if9e82.dll
C:\WINDOWS\System32\jtnm0751e.dll
C:\WINDOWS\System32\stbrsrc.dll
C:\WINDOWS\System32\ktjql7151.dll



Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\Guard.tmp

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.


Double-click on find.bat and post the new output.txt.

#8 touse (Topic Starter)

Posted 22 December 2004 - 04:46 PM

I followed your instructions. After the last step (having clicked "yes" at the pending operations prompt to restart the computer), the computer didn't restart but gave me the following message: "Pending File Rename Operations Registry Data has been removed by External Proces". You get one option, namely to click "ok". I did so. But the computer didn't restart. Is that normal? Should I just close everything and restart manually?

touse

#9 touse (Topic Starter)

Posted 22 December 2004 - 05:27 PM

I restarted the computer manually and ran find.bat.

Here's the new find.bat output.txt:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\findbat\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

22/12/2004 22:54 224.972 msiavi32.dll
22/12/2004 22:51 223.232 s8880ilue8q80.dll
22/12/2004 21:02 224.972 n04slah71d4.dll
21/12/2004 23:17 223.232 mvpml9711.dll
20/12/2004 17:48 223.232 cobuireg.dll
17/12/2004 08:43 223.232 ruuteext.dll
16/12/2004 15:19 224.539 n82u0if9e82.dll
16/12/2004 15:19 223.389 jtnm0751e.dll
16/12/2004 08:49 223.232 stbrsrc.dll
16/12/2004 08:04 223.232 ktjql7151.dll
14/11/2004 23:24 <DIR> dllcache
10 File(s) 2.237.264 bytes
1 Dir(s) 1.632.979.968 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

22/12/2004 22:58 23.586 Ffastlog.txt
14/11/2004 23:24 <DIR> dllcache
18/10/2002 12:41 <DIR> GroupPolicy
18/10/2002 12:29 21.692 folder.htt
18/10/2002 12:29 271 desktop.ini
3 File(s) 45.549 bytes
2 Dir(s) 1.632.979.968 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

06/12/1999 14:00 2.577 CONFIG.TMP
1 File(s) 2.577 bytes
0 Dir(s) 1.632.975.872 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09885751-33EE-4FC5-9FEA-4A406B194A89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\n04slah71d4.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\CwbSvStr.Exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"SetProxyAS2"="D:\\AnetLP\\Assurnet\\CeWeb\\RunREgOn.exe -f D:\\AnetLP\\Assurnet\\CeWeb\\ProxyPar.txt"
"F-Secure Manager"="\"D:\\AnetLP\\assurnet\\fsav\\Common\\FSM32.EXE\" /splash"
"startAS2"="D:\\AnetLP\\assurnet\\esd\\esdrun.exe D:\\AnetLP\\assurnet\\esd\\startas2.dws"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#10 touse (Topic Starter)

Posted 22 December 2004 - 06:11 PM

I just checked the internet history log and I noticed that one of my brothers has been surfing the net this afternoon. Sorry, I've tried.

touse

:thumbsup:

#11 Grinler (Lawrence Abrams, Admin)

Posted 22 December 2004 - 07:50 PM

Download VX2Finder from this link:

http://tools.zerosrealm.com/VX2Finder(126).exe

or

http://www.downloads.subratam.org/VX2Finder(126).exe

Run Vx2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.

#12 touse (Topic Starter)

Posted 23 December 2004 - 02:20 PM

Here's the VX2Finder.log:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---Explorer
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---wzcnotif


Guardian Key--- is called:

User Agent String---
{09885751-33EE-4FC5-9FEA-4A406B194A89}


I appreciate your help, Grinler, especially since you could be doing more pleasant things during the holidays.


Touse

#13 Grinler (Lawrence Abrams, Admin)

Posted 23 December 2004 - 05:19 PM

Reboot into safe mode and do the following:

Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\UIfwordw.dll

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat steps 4-8 above for these files:

C:\WINDOWS\System32\n04slah71d4.dll
C:\WINDOWS\System32\mvpml9711.dll
C:\WINDOWS\System32\c2000cdmef0a0.dll
C:\WINDOWS\System32\cobuireg.dll
C:\WINDOWS\System32\ruuteext.dll
C:\WINDOWS\System32\n82u0if9e82.dll
C:\WINDOWS\System32\jtnm0751e.dll
C:\WINDOWS\System32\stbrsrc.dll
C:\WINDOWS\System32\ktjql7151.dll



Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\Guard.tmp

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.


Double-click on find.bat and post the new output.txt.

And it's my pleasure to help :thumbsup:

#14 touse (Topic Starter)

Posted 23 December 2004 - 07:13 PM

The new Find.bat output.txt:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\findbat\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

24/12/2004 00:14 224.972 pfxdll.dll
24/12/2004 00:14 225.759 jt8s07l7e.dll
23/12/2004 23:47 224.972 hr8205loe.dll
22/12/2004 22:54 224.972 msiavi32.dll
21/12/2004 23:17 223.232 mvpml9711.dll
20/12/2004 17:48 223.232 cobuireg.dll
17/12/2004 08:43 223.232 ruuteext.dll
16/12/2004 15:19 224.539 n82u0if9e82.dll
16/12/2004 15:19 223.389 jtnm0751e.dll
16/12/2004 08:49 223.232 stbrsrc.dll
16/12/2004 08:04 223.232 ktjql7151.dll
14/11/2004 23:24 <DIR> dllcache
11 File(s) 2.464.763 bytes
1 Dir(s) 1.621.965.312 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

24/12/2004 00:17 23.629 Ffastlog.txt
14/11/2004 23:24 <DIR> dllcache
18/10/2002 12:41 <DIR> GroupPolicy
18/10/2002 12:29 21.692 folder.htt
18/10/2002 12:29 271 desktop.ini
3 File(s) 45.592 bytes
2 Dir(s) 1.621.965.312 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

06/12/1999 14:00 2.577 CONFIG.TMP
1 File(s) 2.577 bytes
0 Dir(s) 1.621.961.216 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09885751-33EE-4FC5-9FEA-4A406B194A89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hr8205loe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\CwbSvStr.Exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"SetProxyAS2"="D:\\AnetLP\\Assurnet\\CeWeb\\RunREgOn.exe -f D:\\AnetLP\\Assurnet\\CeWeb\\ProxyPar.txt"
"F-Secure Manager"="\"D:\\AnetLP\\assurnet\\fsav\\Common\\FSM32.EXE\" /splash"
"startAS2"="D:\\AnetLP\\assurnet\\esd\\esdrun.exe D:\\AnetLP\\assurnet\\esd\\startas2.dws"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"





touse
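The three find.bat outputs in this thread (posts #6, #9 and #14) and the VX2Finder log in post #12 all turn on the same question: which entry under Winlogon\Notify is not a stock Windows package, and which freshly created file in System32 does it load? Each cycle the entry comes back under a new, legitimate-sounding name ("Group Policy", "Explorer", "ShellServiceObjectDelayLoad") and points at a new ~224 KB DLL. Here is a small Python parser, added as an example and not part of the thread, of find.bat or of VX2Finder, that reads those two find.bat sections and flags the odd entry. The sample input is constructed from post #14's output; the allow-list of Notify subkey names is taken from the clean entries in this thread's logs and is an assumption about this machine, not a general reference list.

```python
import re

# Constructed sample input in the format find.bat prints in this thread: the REGEDIT4
# export of the Winlogon\Notify keys and the `dir` listing of System32 (names from post #14).
SAMPLE_NOTIFY_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"DllName"="C:\\WINNT\\system32\\hr8205loe.dll"
"Logon"="WinLogon"
'''

SAMPLE_SYSTEM32_LISTING = r'''Directory of C:\WINNT\System32

24/12/2004 00:14 224.972 pfxdll.dll
23/12/2004 23:47 224.972 hr8205loe.dll
14/11/2004 23:24 <DIR> dllcache
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
DIR_LINE_RE = re.compile(r'^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+([\d.]+)\s+(\S+)$')
NOTIFY_ROOT = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify' + '\\'
# Notify packages that appear in the clean parts of this thread's logs (Windows 2000 SP4).
# A production allow-list would be taken from a known-good reference machine instead.
KNOWN_NOTIFY_SUBKEYS = {'crypt32chain', 'cryptnet', 'cscdll', 'sclgntfy', 'senslogn', 'wzcnotif'}


def decode_reg_value(raw):
    """Decode a REGEDIT4 value: "string" (\\ and \" escaped), dword:, or hex(2): (REG_EXPAND_SZ)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.split(b'\x00', 1)[0].decode('latin-1')  # NUL-terminated ANSI string
    return raw


def parse_regedit4(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys, current, pending = {}, None, ''
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ''
        if line.endswith('\\'):  # long hex values wrap with a trailing backslash
            pending = line[:-1]
            continue
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
        elif vm and current is not None:
            keys[current][vm.group(1)] = decode_reg_value(vm.group(2))
    return keys


def suspicious_notify_entries(text):
    """Flag Notify subkeys that load a DLL by absolute path or carry an unexpected name."""
    findings = []
    for key, values in parse_regedit4(text).items():
        if not key.lower().startswith(NOTIFY_ROOT):
            continue
        subkey = key.rsplit('\\', 1)[1]
        # Packages spell the value "DllName" or "DLLName", so match case-insensitively.
        dll = next((v for n, v in values.items() if n.lower() == 'dllname'), None)
        reasons = []
        if dll is None:
            reasons.append('no DllName value')
        elif '\\' in dll:
            reasons.append('DllName is an absolute path; stock packages use a bare file name')
        if subkey.lower() not in KNOWN_NOTIFY_SUBKEYS:
            reasons.append('subkey name not in the known-good list')
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


def parse_dir_listing(text):
    """Parse find.bat's `dir` lines (dd/mm/yyyy, size with '.' as thousands separator)."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE_RE.match(line.strip())
        if m:
            files[m.group(4).lower()] = (m.group(1), m.group(2), int(m.group(3).replace('.', '')))
    return files


def correlate(notify_text, dir_text):
    """Join each flagged Notify entry with the on-disk record of the DLL it loads, if any."""
    listing = parse_dir_listing(dir_text)
    report = []
    for subkey, dll, reasons in suspicious_notify_entries(notify_text):
        base = dll.rsplit('\\', 1)[-1].lower() if dll else ''
        report.append({'subkey': subkey, 'dll': dll, 'reasons': reasons, 'on_disk': listing.get(base)})
    return report
```

Run against the sample, `correlate()` returns a single finding for `ShellServiceObjectDelayLoad` with two reasons (absolute path, unknown name) and ties it to the `hr8205loe.dll` created at 23:47 on 23/12/2004. The same two checks flag the "Group Policy" entry in post #6 and the "Explorer" entry in post #9, because the stock packages in these logs always use a bare file name for DllName. On the VX2Finder log in post #12, which lists only subkey names, the name check alone still singles out "Explorer".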

#15 Grinler (Lawrence Abrams, Admin)

Posted 23 December 2004 - 11:00 PM

Hi, sorry for this delay

Here is a revised removal method:


Download the Killbox.
Unzip the contents of KillBox.zip to a convenient location.
Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

c:\windows\system32\pfxdll.dll

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.
Repeat steps 4-8 above for these files:



c:\windows\system32\jt8s07l7e.dll
c:\windows\system32\hr8205loe.dll
c:\windows\system32\msiavi32.dll
c:\windows\system32\mvpml9711.dll
c:\windows\system32\cobuireg.dll
c:\windows\system32\ruuteext.dll
c:\windows\system32\n82u0if9e82.dll
c:\windows\system32\jtnm0751e.dll
c:\windows\system32\stbrsrc.dll



Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

c:\windows\system32\ktjql7151.dll

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.


Double-click on find.bat and post the new output.txt.



